From nobody Wed Apr 24 11:36:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+104991+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104991+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1684367795; cv=none; d=zohomail.com; s=zohoarc; b=I2q+CBH7VtuJ0avvAJht0gI055Z0QSipPNYxzZxLnALtq0AF2Y+rj3Qe2UfZ1Zm3J1aWx9+VMn9ywn9bOElqFAGk8CIcRpBLczkGQ7yEkVFMiEnHcfQiD5MByxELOf1R4rH70kHfBK9jgYHiaQ0Q75+iOKdPdFfEXExYVmss+lw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1684367795; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=TfKXNVF0Uwnkjjp63rDaqIw8D0g/WrNGFattkKz14+U=; b=RxdCdYt58UupLJXbso9wa5X0jiCdXiojR9dp79Zd2DvW1mNXoqtqOIvflX3y340HEl2M9ptMtpjbNzn1VbfDINvcAVWSJWJgH0HtCp/ZxyabeMPBAaj8R327gXksp9LHqpNsDi1myUcftDx9AuUa7bZcN+dKw8MY7CtFChkfDmg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104991+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1684367795086474.5759524783806; Wed, 17 May 2023 16:56:35 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id cAEtYY1788612xERCROXV5iR; Wed, 17 May 2023 16:56:34 -0700 X-Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web10.3199.1684367793145561615 for ; Wed, 17 May 2023 16:56:33 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332275966" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332275966" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:33 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208861" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208861" X-Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:32 -0700 From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Zhiguang Liu , Ray Ni , Gua Guo Subject: [edk2-devel] [PATCH v2 1/6] MdeModulePkg: universal payload HOB for secure boot info Date: Wed, 17 May 2023 16:55:29 -0700 Message-Id: <7527317a88aea6c1e108712c230a14f5a4cfbf61.1684367408.git.subash.lakkimsetti@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,subash.lakkimsetti@intel.com X-Gm-Message-State: qnE3adTNc0yZ0IIYRuVHhV3sx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1684367794; bh=kWFmFOl5HHLxqfaFMCuMJboG97bif1grkE9RV7AZQsQ=; h=Cc:Date:From:Reply-To:Subject:To; b=XcD3rapt65pnLDgbZAtXVKY4OkZ1+XHe+a8WHiHrRWkv9YxaoRB1VC1FPvRsKi5cOoG 6jmpimx6gMWMf4Q/HNrW77bzi/gUP/FEhsIuWOstbO3877AXiprkz9nxd+T3Pwwo7ThCN dbhAojxUHZPNFzjCaFYE/iz41+5QJLf4Y2s= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1684367796863100005 Content-Type: text/plain; charset="utf-8" From: Subash Lakkimsetti Add the hob structure header for universal payload for secure boot and measure boot information from bootloaders. Universal payload spec definied at https://universalscalablefirmware.github.io/documentation/2_universal_paylo= ad.html Cc: Zhiguang Liu Cc: Ray Ni Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- .../UniversalPayload/SecureBootInfoGuid.h | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGui= d.h diff --git a/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h b/M= deModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h new file mode 100644 index 0000000000..5f0f75eb3a --- /dev/null +++ b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h @@ -0,0 +1,37 @@ +/** @file + This file defines the hob structure for the Secure boot information. + + Copyright (c) 2023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SECUREBOOT_INFO_GUID_H_ +#define SECUREBOOT_INFO_GUID_H_ + +#include + +/** + Secure Boot info Hob GUID +**/ +extern EFI_GUID gUniversalPayloadSecureBootInfoGuid; + +#define PAYLOAD_SECUREBOOT_INFO_HOB_REVISION 0x1 + +#define NO_TPM 0x0 +#define TPM_TYPE_12 0x1 +#define TPM_TYPE_20 0x2 + +#pragma pack(1) +typedef struct { + UNIVERSAL_PAYLOAD_GENERIC_HEADER Header; + UINT8 VerifiedBootEnabled; + UINT8 MeasuredBootEnabled; + UINT8 FirmwareDebuggerInitialized; + UINT8 TpmType; + UINT8 Reserved[3]; + UINT32 TpmPcrActivePcrBanks; +} UNIVERSAL_SECURE_BOOT_INFO; +#pragma pack() + +#endif // SECUREBOOT_INFO_GUID_H_ --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104991): https://edk2.groups.io/g/devel/message/104991 Mute This Topic: https://groups.io/mt/98982069/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 11:36:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+104992+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104992+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1684367810; cv=none; d=zohomail.com; s=zohoarc; b=ceze01YMJaaIW8q9wnekd528xsRz9Rgze2n+bJ4bxHYfoSzavzMLOt87UJ+M6zEbrsbzvZBzsgaGq7iVcohZRQEyocqR7xUIHiqI2FJujuSrL4NXieyU/R3nS6UZLqLgWoU8QmV4T/ix32jDQ3FE/NVTKjdyz6+tG3xQZ0GciaE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1684367810; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=EMsMYperR4x/4CUEA/EQz30TpF8briPcmj+YFNrXATM=; b=QNar6Ov2apxOlnhh9fV5TTci0IuBByQNE+8xPflFS7zNSrP9mVzoD721eVZNpCuhTfdh6ZL25t5xDLfQuTYFEHwKeqL4C2RSXLUDWmyXJO7o7kMf4+HyBB8djmLAFs/V8c66Ii6AAAOXOhyMoxeutt73NH/q3gIkoMvhj9Jhl98= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104992+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1684367810575645.821895088403; Wed, 17 May 2023 16:56:50 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id R6MvYY1788612xwcv5NvSOm4; Wed, 17 May 2023 16:56:50 -0700 X-Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.3155.1684367809597397300 for ; Wed, 17 May 2023 16:56:49 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332276013" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332276013" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208877" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208877" X-Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:35 -0700 From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [edk2-devel] [PATCH v2 2/6] UefiPayloadPkg: Add secureboot information HOBs Date: Wed, 17 May 2023 16:55:30 -0700 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,subash.lakkimsetti@intel.com X-Gm-Message-State: VMHNgFEuz8ewwJemDBjmwABGx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1684367810; bh=bdHJlUTXzJf5mVmYLnRGh9t8l0TRkmpPDc73jsRKvGU=; h=Cc:Date:From:Reply-To:Subject:To; b=g26o7zKFeSYQzg3HFDqhPyBr2oPInAm93k6kbtTERSQzYY5WCxMbYMUcMuGJJ5rFXtK mSum/IcltuSbeMmB5ooMXjvtjohSNex8uW5ErcrAzxRQros2C0RkBolCHRt4DTlCaLTw2 mjuWt4lSMyQ+9Rpx3XcrZqKIL8IMZs7Ec2o= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1684367810992100002 Content-Type: text/plain; charset="utf-8" From: Subash Lakkimsetti This patch add the HOB fpr secure and measured boot information. This is populated by bootloader phase and uefipayload pkg uses this info to sync the TPM info PCDs. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++- UefiPayloadPkg/UefiPayloadPkg.dec | 4 +- UefiPayloadPkg/UefiPayloadPkg.dsc | 2 + 4 files changed, 92 insertions(+), 4 deletions(-) diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/Bl= SupportDxe/BlSupportDxe.c index 2e70c4533c..13ac5582e2 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c +++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c @@ -2,11 +2,14 @@ This driver will report some MMIO/IO resources to dxe core, extract smbi= os and acpi tables from bootloader. =20 - Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
+ Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ #include "BlSupportDxe.h" +#include +#include +#include =20 /** Reserve MMIO/IO resource in GCD @@ -86,6 +89,73 @@ ReserveResourceInGcd ( return Status; } =20 +/** +Sync the Secure boot hob info and TPM PCD as per the information passed fr= om Bootloader. +**/ +EFI_STATUS +BlSupportSecurityPcdSync ( + VOID + ) +{ + EFI_STATUS Status; + EFI_HOB_GUID_TYPE *GuidHob; + UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob; + UINTN Size; + + GuidHob =3D GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid); + if (GuidHob =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n= ")); + return EFI_UNSUPPORTED; + } + + SecurebootInfoHob =3D (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (G= uidHob); + + // Sync the Hash mask for TPM 2.0 as per active PCR banks. + // Make sure that the current PCR allocations, the TPM supported PCRs, + // and the PcdTpm2HashMask are all in agreement. + Status =3D PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePc= rBanks); + ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->T= pmPcrActivePcrBanks)); + + // Set the Firmware debugger PCD + Status =3D PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHo= b->FirmwareDebuggerInitialized); + ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootI= nfoHob->FirmwareDebuggerInitialized)); + + // Set the TPM Type instance GUID + if (SecurebootInfoHob->MeasuredBootEnabled) { + if (SecurebootInfoHob->TpmType =3D=3D TPM_TYPE_20) { + DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __func__)); + Size =3D sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid); + Status =3D PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceTpm20DtpmGuid + ); + } else if (SecurebootInfoHob->TpmType =3D=3D TPM_TYPE_12) { + DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __func__)); + Size =3D sizeof (gEfiTpmDeviceInstanceTpm12Guid); + Status =3D PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceTpm12Guid + ); + } else { + DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __func__)); + Size =3D sizeof (gEfiTpmDeviceInstanceNoneGuid); + Status =3D PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceNoneGuid + ); + } + + ASSERT_EFI_ERROR (Status); + } + + return Status; +} + /** Main entry for the bootloader support DXE module. =20 @@ -144,5 +214,10 @@ BlDxeEntryPoint ( ASSERT_EFI_ERROR (Status); } =20 + // + // Sync Bootloader info for TPM + // + BlSupportSecurityPcdSync (); + return EFI_SUCCESS; } diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/= BlSupportDxe/BlSupportDxe.inf index 96d85d2b1d..162167e6bb 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf +++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf @@ -3,7 +3,7 @@ # # Report some MMIO/IO resources to dxe core, extract smbios and acpi tables # -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -30,6 +30,7 @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec UefiPayloadPkg/UefiPayloadPkg.dec =20 [LibraryClasses] @@ -44,6 +45,10 @@ [Guids] gUefiAcpiBoardInfoGuid gEfiGraphicsInfoHobGuid + gUniversalPayloadSecureBootInfoGuid + gEfiTpmDeviceInstanceTpm20DtpmGuid + gEfiTpmDeviceInstanceTpm12Guid + gEfiTpmDeviceInstanceNoneGuid =20 [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution @@ -52,6 +57,10 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize - + ## SOMETIMES_CONSUMES + ## SOMETIMES_PRODUCES + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid [Depex] TRUE diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayload= Pkg.dec index 8d111f3a90..63138500dd 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dec +++ b/UefiPayloadPkg/UefiPayloadPkg.dec @@ -3,7 +3,7 @@ # # Provides drivers and definitions to create uefi payload for bootloaders. # -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -42,6 +42,8 @@ gSpiFlashInfoGuid =3D { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c,= 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } } gSmmRegisterInfoGuid =3D { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9,= 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } } gS3CommunicationGuid =3D { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf,= 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } } + gUniversalPayloadSecureBootInfoGuid =3D { 0xd970f847, 0x07dd, 0x4b2= 4, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } } + =20 [Ppis] gEfiPayLoadHobBasePpiGuid =3D { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6,= 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} } diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index 998d222909..0e7093cc7d 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -584,6 +584,8 @@ =20 gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER) gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER) + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28= , 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} =20 ##########################################################################= ###### # --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104992): https://edk2.groups.io/g/devel/message/104992 Mute This Topic: https://groups.io/mt/98982073/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 11:36:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+104993+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104993+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1684367810; cv=none; d=zohomail.com; s=zohoarc; b=FoP9S9ehyvZMyCKI4CGkenNqeesHIjFnHfU1bSrfcLniDXYJZiCPW9M+xP2LnijMWsSiXpFkFMs6Kskikqwhklwsm98pplmpEvE00x9crOODrlD8YAspIAQ9NFqFZGb60SiEu/GaTFuHbABcDhXnB2IC5Gs9txrS8g/L5lt0JNU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1684367810; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=CNduYTc8QsxwU95CNlzDA8cevPM0HHiwEH2yJOCfeOw=; b=cuvcBIMB/TaXaoM9LeMJ//EJJgycuC6JoGY2qzSed9tKbkyAOQjD8ibTWuyx/5GazcA4/BMsxPv+zN27kDZEnS737BIxSNLhkkeiOmaV29Mz+onWkvxxpKkzeGi80kOHfFN4g+2RB0Z+TcbRkXjc2uunct0hHTGOdbxN2Rl5W6c= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104993+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1684367810983370.16681305323584; Wed, 17 May 2023 16:56:50 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id SAunYY1788612xdpkZx8n9xc; Wed, 17 May 2023 16:56:50 -0700 X-Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.3155.1684367809597397300 for ; Wed, 17 May 2023 16:56:50 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332276017" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332276017" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:38 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208905" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208905" X-Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:37 -0700 From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [edk2-devel] [PATCH v2 3/6] UefiPayloadPkg: Uninstall the TPM2 ACPI if present Date: Wed, 17 May 2023 16:55:31 -0700 Message-Id: <84423aea8ae134f67dcbca81467fb96197daa1b1.1684367408.git.subash.lakkimsetti@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,subash.lakkimsetti@intel.com X-Gm-Message-State: 30KEw5f3IikE9KZJyaHhfyiqx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1684367810; bh=1G9Yw1F390KcpQygInDBvTfm2dPtBPd7C40fpP+AR44=; h=Cc:Date:From:Reply-To:Subject:To; b=XZEx1vVs/kzAhL9UgbeQMYlqhtKPa8qpyCh3ikzEVTFuTj2Xaj/vM4Cz3VjKuMXm/ne CruVaIY+uPOS6dS0u1wX9XYSHex72AcINQ0QOK6ULrp/675GpEh9KpindvcRiv6AIZRXV EbP/wvLlSyd2/2VD425jT8MKKG/Pw5WBkoI= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1684367811411100005 Content-Type: text/plain; charset="utf-8" From: Subash Lakkimsetti Bootloader supports multiple payload and TPM2 ACPI tables are updated at bootloader phase. When UEFI is used payload these will be duplicates. The tables are to be uninstalled before updating the TCG2ACPI tables to avoid duplicates. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c | 282 ++++++++++++++++++ UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h | 28 ++ .../TcgSupportDxe/TcgSupportDxe.inf | 54 ++++ 3 files changed, 364 insertions(+) create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c b/UefiPayloadPkg/= TcgSupportDxe/TcgSupportDxe.c new file mode 100644 index 0000000000..23b61f0958 --- /dev/null +++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c @@ -0,0 +1,282 @@ +/** @file + This module will provide bootloader support TCG configurations. + + Copyright (c) 22023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include "TcgSupportDxe.h" + +/** + Uninstall TPM2 SSDT ACPI table + + This performs uninstallation of TPM2 SSDT tables published by + bootloaders. + + @retval EFI_SUCCESS The TPM2 ACPI table is uninstalled successfull= y if found. + @retval Others Operation error. + +**/ +EFI_STATUS +UnInstallTpm2SSDTAcpiTables ( + ) +{ + UINTN TableIndex; + UINTN TableKey; + EFI_ACPI_TABLE_VERSION TableVersion; + VOID *TableHeader; + EFI_STATUS Status; + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol; + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol; + CHAR8 TableIdString[8]; + UINT64 TableIdSignature; + + // + // Determine whether there is a TPM2 SSDT already in the ACPI table. + // + Status =3D EFI_SUCCESS; + TableIndex =3D 0; + TableKey =3D 0; + TableHeader =3D NULL; + mAcpiTableProtocol =3D NULL; + mAcpiSdtProtocol =3D NULL; + + // + // Locate the EFI_ACPI_TABLE_PROTOCOL. + // + Status =3D gBS->LocateProtocol ( + &gEfiAcpiTableProtocolGuid, + NULL, + (VOID **)&mAcpiTableProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Table Proto= col \n " + )); + return Status; + } + + // + // Locate the EFI_ACPI_SDT_PROTOCOL. + // + Status =3D gBS->LocateProtocol ( + &gEfiAcpiSdtProtocolGuid, + NULL, + (VOID **)&mAcpiSdtProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Sdt Protoco= l, " + "\n" + )); + return Status; + } + + while (!EFI_ERROR (Status)) { + Status =3D mAcpiSdtProtocol->GetAcpiTable ( + TableIndex, + (EFI_ACPI_SDT_HEADER **)&TableHeader, + &TableVersion, + &TableKey + ); + + if (!EFI_ERROR (Status)) { + TableIndex++; + + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature =3D=3D SIGNATURE= _32 ('S', 'S', 'D', 'T')) { + CopyMem ((VOID *)TableIdString, (VOID *)((EFI_ACPI_SDT_HEADER *)Ta= bleHeader)->OemTableId, sizeof (TableIdString)); + + TableIdSignature =3D SIGNATURE_64 ( + TableIdString[0], + TableIdString[1], + TableIdString[2], + TableIdString[3], + TableIdString[4], + TableIdString[5], + TableIdString[6], + TableIdString[7] + ); + + if (TableIdSignature =3D=3D SIGNATURE_64 ('T', 'p', 'm', '2', 'T',= 'a', 'b', 'l')) { + DEBUG ((DEBUG_INFO, "Found Tpm2 SSDT Table for Physical Presence= \n")); + break; + } + } + } + } + + if (!EFI_ERROR (Status)) { + // + // A TPM2 SSDT is already in the ACPI table. + // + DEBUG (( + DEBUG_INFO, + "A TPM2 SSDT is already exist in the ACPI Table.\n" + )); + + // + // Uninstall the origin TPM2 SSDT from the ACPI table. + // + Status =3D mAcpiTableProtocol->UninstallAcpiTable ( + mAcpiTableProtocol, + TableKey + ); + ASSERT_EFI_ERROR (Status); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "UnInstall Tpm2SSDTAcpiTables failed \n ")); + + return Status; + } + } + + return EFI_SUCCESS; +} + +/** + Uninstall TPM2 table + + This performs uninstallation of TPM2 tables published by + bootloaders. + + @retval EFI_SUCCESS The TPM2 table is uninstalled successfully if = its found. + @retval Others Operation error. + +**/ +EFI_STATUS +UnInstallTpm2Tables ( + ) +{ + UINTN TableIndex; + UINTN TableKey; + EFI_ACPI_TABLE_VERSION TableVersion; + VOID *TableHeader; + EFI_STATUS Status; + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol; + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol; + + // + // Determine whether there is a TPM2 SSDT already in the ACPI table. + // + Status =3D EFI_SUCCESS; + TableIndex =3D 0; + TableKey =3D 0; + TableHeader =3D NULL; + mAcpiTableProtocol =3D NULL; + mAcpiSdtProtocol =3D NULL; + + // + // Locate the EFI_ACPI_TABLE_PROTOCOL. + // + Status =3D gBS->LocateProtocol ( + &gEfiAcpiTableProtocolGuid, + NULL, + (VOID **)&mAcpiTableProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Table Protocol \n " + )); + return Status; + } + + // + // Locate the EFI_ACPI_SDT_PROTOCOL. + // + Status =3D gBS->LocateProtocol ( + &gEfiAcpiSdtProtocolGuid, + NULL, + (VOID **)&mAcpiSdtProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Sdt Protocol, " + "\n" + )); + return Status; + } + + while (!EFI_ERROR (Status)) { + Status =3D mAcpiSdtProtocol->GetAcpiTable ( + TableIndex, + (EFI_ACPI_SDT_HEADER **)&TableHeader, + &TableVersion, + &TableKey + ); + + if (!EFI_ERROR (Status)) { + TableIndex++; + + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature =3D=3D EFI_ACPI_= 5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE ) { + DEBUG ((DEBUG_INFO, "Found Tpm2 Table ..\n")); + break; + } + } + } + + if (!EFI_ERROR (Status)) { + // + // A TPM2 SSDT is already in the ACPI table. + // + DEBUG (( + DEBUG_INFO, + "A TPM2 table is already exist in the ACPI Table.\n" + )); + + // + // Uninstall the origin TPM2 SSDT from the ACPI table. + // + Status =3D mAcpiTableProtocol->UninstallAcpiTable ( + mAcpiTableProtocol, + TableKey + ); + ASSERT_EFI_ERROR (Status); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "UnInstall Tpm2Tables failed \n ")); + + return Status; + } + } + + return EFI_SUCCESS; +} + +/** + The driver's entry point. + + It patches and installs ACPI tables used for handling TPM physical prese= nce + and Memory Clear requests through ACPI method. + + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @retval Others Some error occurs when executing this entry poin= t. + +**/ +EFI_STATUS +EFIAPI +TcgSupportEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + // + // Bootloader might pulish the TPM2 ACPT tables + // Uninstall TPM tables if it exists + // + Status =3D UnInstallTpm2SSDTAcpiTables (); + ASSERT_EFI_ERROR (Status); + + Status =3D UnInstallTpm2Tables (); + ASSERT_EFI_ERROR (Status); + + return EFI_SUCCESS; +} diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h b/UefiPayloadPkg/= TcgSupportDxe/TcgSupportDxe.h new file mode 100644 index 0000000000..bd1e051893 --- /dev/null +++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h @@ -0,0 +1,28 @@ +/** @file + The header file of bootloader support TCG configurations. + +Copyright (c) 2023, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef DXE_BOOTLOADER_SUPPORT_H_ +#define DXE_BOOTLOADER_SUPPORT_H_ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#endif diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf b/UefiPayloadPk= g/TcgSupportDxe/TcgSupportDxe.inf new file mode 100644 index 0000000000..a2e406109e --- /dev/null +++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf @@ -0,0 +1,54 @@ +## @file +# Bootloader Support DXE Module +# +# Report some MMIO/IO resources to dxe core, extract smbios and acpi tables +# +# Copyright (c) 2023, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D TcgSupportDxe + FILE_GUID =3D E0E7E6A4-DD57-11ED-B5EA-0242AC120002 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D TcgSupportEntryPoint + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 EBC +# + +[Sources] + TcgSupportDxe.c + TcgSupportDxe.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + UefiPayloadPkg/UefiPayloadPkg.dec + +[LibraryClasses] + UefiDriverEntryPoint + UefiBootServicesTableLib + DebugLib + BaseMemoryLib + UefiLib + IoLib + HobLib + +[Protocols] + gEfiAcpiTableProtocolGuid ## CONSUMES + gEfiMmCommunicationProtocolGuid ## CONSUMES + gEfiAcpiSdtProtocolGuid ## CONSUMES + +[Guids] + gEfiAcpiTableGuid + +[Depex] + gEfiAcpiTableProtocolGuid --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104993): https://edk2.groups.io/g/devel/message/104993 Mute This Topic: https://groups.io/mt/98982074/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 11:36:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+104995+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104995+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1684367812; cv=none; d=zohomail.com; s=zohoarc; b=ablPpJg8ZUTlhRpZSMxCo6WTtG1rVRzhO11dazuXDfKXQyyvYmrdqyLsnFAeKNB+2FEMdpf0JurCUf7gF03wofliXMkJR32XRF/fec+ZUZKKlF2lFF88R84oqMvtfJ4qVwnnSNDb0zSxHnpGjRirgsNPmhm8McC0+9PnoZ4LalI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1684367812; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=izmqS/Xw9gaLyMeFYQW7JvuIZQ3Ab/r4+ftDSYYcf80=; b=kFfROi2QP7ik7DTbQ922ygfjWjqO6hPH1oJX4lDwqObyanrYnaQEUF4BymWgJzDcrb5E4go9hU5YeXmtI6zUK8m7G3mTZ488FCcJH2Iv59l70DwbiInmXroJiXNeiyjaMOTlHZtvy4ceK2w2+Cn1tunNXwBtey+LnRpOiQZvk6w= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104995+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1684367812915626.0168415846372; Wed, 17 May 2023 16:56:52 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id MsgJYY1788612xKEIZH9j50Z; Wed, 17 May 2023 16:56:52 -0700 X-Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.3155.1684367809597397300 for ; Wed, 17 May 2023 16:56:51 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332276028" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332276028" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:40 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208952" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208952" X-Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:39 -0700 From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [edk2-devel] [PATCH v2 4/6] UefiPayloadPkg: Add secure boot configurations Date: Wed, 17 May 2023 16:55:32 -0700 Message-Id: <80f7425d9598d3196a4dee6544bc5a80f9f8e447.1684367408.git.subash.lakkimsetti@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,subash.lakkimsetti@intel.com X-Gm-Message-State: 4ASmBhPRxNxzdDQwrTtQ6TImx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1684367812; bh=oXqyl8cvf5JqyIVgvMwizJjmHvYB6mA/YvJTmfSp174=; h=Cc:Date:From:Reply-To:Subject:To; b=WvH46mdUenfcYyW5VaMXaKEDBopqlqPX9XPvJPRCtMsOloe0lcdTW5G/mx2jIeFzZtT 15Xc2OwZC8iT9OyFI5hr0RmJWFOe4vDaYCKWxFKk2CL4WVvAdkiAsM/Zwz9zPKwMw46Xm oOhrOogfdkPKdHHqyGanGH0j/c8paxrJUyU= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1684367814959100017 Content-Type: text/plain; charset="utf-8" From: Subash Lakkimsetti Add the required modules for secure boot in UefiPayloadPkg. SECURE_BOOT_ENABLE flag added to control the secure boot feature. Security modules are added as seperate FV. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/UefiPayloadPkg.dsc | 50 ++++++++++++++++++++++++- UefiPayloadPkg/UefiPayloadPkg.fdf | 29 ++++++++++++++ UefiPayloadPkg/UniversalPayloadBuild.py | 1 + 3 files changed, 79 insertions(+), 1 deletion(-) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index 0e7093cc7d..df078a1b28 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -133,6 +133,11 @@ =20 DEFINE MULTIPLE_DEBUG_PORT_SUPPORT =3D FALSE =20 + # + # Security + # + DEFINE SECURE_BOOT_ENABLE =3D FALSE + [BuildOptions] *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES !if $(USE_CBMEM_FOR_CONSOLE) =3D=3D FALSE @@ -290,7 +295,20 @@ DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebug= LibReportStatusCode.inf LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf +!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf +!endif + !if $(VARIABLE_SUPPORT) =3D=3D "EMU" TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf !elseif $(VARIABLE_SUPPORT) =3D=3D "SPI" @@ -406,6 +424,16 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif =20 +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, Libr= aryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + ##########################################################################= ###### # # Pcd Section - list of all EDK II PCD Entries defined by this Platform. @@ -475,6 +503,16 @@ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY !endif =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE + + # override the default values from SecurityPkg to ensure images from all= sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0= x04 +!endif + [PcdsPatchableInModule.X64] !if $(NETWORK_DRIVER_ENABLE) =3D=3D TRUE gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE @@ -635,8 +673,18 @@ # Components that produce the architectural protocols # !if $(SECURITY_STUB_ENABLE) =3D=3D TRUE - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf !endif + } +!endif + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf +!endif + UefiCpuPkg/CpuDxe/CpuDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayload= Pkg.fdf index f8c2aa8c4a..d1f76b1e56 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -201,6 +201,10 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRea= lTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf +!endif + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) =3D=3D "GENERIC" @@ -324,6 +328,31 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamic= Command.inf INF ShellPkg/Application/Shell/Shell.inf !endif =20 +[FV.SECFV] +FvNameGuid =3D 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C +BlockSize =3D $(FD_BLOCK_SIZE) +FvForceRebase =3D FALSE +FvAlignment =3D 16 +ERASE_POLARITY =3D 1 +MEMORY_MAPPED =3D TRUE +STICKY_WRITE =3D TRUE +LOCK_CAP =3D TRUE +LOCK_STATUS =3D TRUE +WRITE_DISABLED_CAP =3D TRUE +WRITE_ENABLED_CAP =3D TRUE +WRITE_STATUS =3D TRUE +WRITE_LOCK_CAP =3D TRUE +WRITE_LOCK_STATUS =3D TRUE +READ_DISABLED_CAP =3D TRUE +READ_ENABLED_CAP =3D TRUE +READ_STATUS =3D TRUE +READ_LOCK_CAP =3D TRUE +READ_LOCK_STATUS =3D TRUE + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf +!endif + =20 ##########################################################################= ###### # diff --git a/UefiPayloadPkg/UniversalPayloadBuild.py b/UefiPayloadPkg/Unive= rsalPayloadBuild.py index 416946a431..4a8b76bacc 100644 --- a/UefiPayloadPkg/UniversalPayloadBuild.py +++ b/UefiPayloadPkg/UniversalPayloadBuild.py @@ -118,6 +118,7 @@ def BuildUniversalPayload(Args): ['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTar= get, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ], ['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTar= get, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ], ['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTar= get, ToolChain), os.path.normpath("FV/NETWORKFV.Fv")) ], + ['security_fv', os.path.join(BuildDir, "{}_{}".format (BuildTa= rget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ], ] AddSectionName =3D '.upld_info' ReplaceFv (EntryOutputDir, UpldInfoFile, AddSectionName, Alignment= =3D 4) --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104995): https://edk2.groups.io/g/devel/message/104995 Mute This Topic: https://groups.io/mt/98982076/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 11:36:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+104994+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104994+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1684367812; cv=none; d=zohomail.com; s=zohoarc; b=lL0iaY7SNp0Nkaf9Bk751urNXN5B17zeB85En+CJan0Zn9guvCG40QZj+mftnlhY/lW0SJPB96o2xbVGiw9+MQZFxHfDuQEp8oLofwQp2MsRcKf66dGM4+9VhflavFRU1E1k9yNOT0LngeP2eQGufvNXRkadyIxalLs3fN5IaeA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1684367812; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=MUC6zmerFZKu5o9qzkMxAx6BWMBSRhY+UvhuyGdqw7Y=; b=YPhpVHYR23IAHNU1qG6Z7kG4Ajjz05zf0Q2nyR2CwETwcGE4ltrU7SMCWZi6+L3Fc0hlD7INncXoIUraX5Q+BP1aCc+2Gy7QWH2j2SUiNWvDH2j3D+1+L1hl/zxrjRSZO29u4xWhkroxCJfDI1zfYvc6K5ZcRMh0f4Ex01qu1Fo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104994+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1684367812434916.8530890962942; Wed, 17 May 2023 16:56:52 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id lOoZYY1788612xqYyXnwOqsj; Wed, 17 May 2023 16:56:52 -0700 X-Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.3155.1684367809597397300 for ; Wed, 17 May 2023 16:56:51 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332276041" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332276041" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208962" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208962" X-Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:42 -0700 From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [edk2-devel] [PATCH v2 5/6] Uefipayloadpkg Enable TPM measured boot Date: Wed, 17 May 2023 16:55:33 -0700 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,subash.lakkimsetti@intel.com X-Gm-Message-State: L2p0hxMZC6cNXcTFJxtOidBox1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1684367812; bh=mgpK3nunSpet5xh7DSSmlcIC/c1pWxFSK4niB3s5zGw=; h=Cc:Date:From:Reply-To:Subject:To; b=SehlqyayPlTKMTh5vB35PxmCa5WRW8G+fEU/wac/XonM98OgTib2BXJQenSRYW4fhiB 3cOhu7v9sMkxcZ+J8SEAMLtc5sXxv2pPG6NF29RTfJdZKuwgkbEJMYDk7jDStxUTEBxMx NTwuwojCwL1V9DCChN4bsIKTa9Ohpi7JiHI= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1684367812789100007 Content-Type: text/plain; charset="utf-8" From: Subash Lakkimsetti Update the packages to support TPM and measured boot in uefi payload. Measured boot can be controlled using flag MEASURED_BOOT_ENABLE. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/UefiPayloadPkg.dsc | 96 +++++++++++++++++++++++++++++-- UefiPayloadPkg/UefiPayloadPkg.fdf | 53 +++++++++++++++-- 2 files changed, 139 insertions(+), 10 deletions(-) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index df078a1b28..0c4c0297ca 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -137,6 +137,7 @@ # Security # DEFINE SECURE_BOOT_ENABLE =3D FALSE + DEFINE MEASURED_BOOT_ENABLE =3D FALSE =20 [BuildOptions] *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES @@ -309,14 +310,29 @@ AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif =20 -!if $(VARIABLE_SUPPORT) =3D=3D "EMU" - TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf -!elseif $(VARIABLE_SUPPORT) =3D=3D "SPI" - PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf - TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf +!if $(VARIABLE_SUPPORT) =3D=3D "SPI" S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptL= ibNull.inf - MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf !endif + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE || $(MEASURED_BOOT_ENABLE) =3D=3D TR= UE || $(VARIABLE_SUPPORT) =3D=3D "SPI" + MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLib= Null.inf +!endif + + # + # TPM + # +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibN= ull.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/D= xeTcg2PhysicalPresenceLib.inf +!else + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf +!endif + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf @@ -424,6 +440,11 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE && $(SMM_SUPPORT) =3D=3D TRUE + Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/Sm= mTcg2PhysicalPresenceLib.inf +!endif + + [LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, Libr= aryClasses.common.UEFI_APPLICATION] !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf @@ -625,6 +646,14 @@ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28= , 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + + # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_= 256) + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016 + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016 +!endif + + ##########################################################################= ###### # # Components Section - list of all EDK II Modules needed by this Platform. @@ -677,6 +706,10 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib= .inf + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.i= nf + !endif !endif } !endif @@ -685,6 +718,57 @@ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf !endif =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLib= DTpm.inf + } + + SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf { + + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + } + +!if $(SMM_SUPPORT) =3D=3D TRUE + SecurityPkg/Tcg/TcgSmm/TcgSmm.inf { + + TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNu= ll.inf + + } +!endif + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf { + + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + } +!if $(SMM_SUPPORT) =3D=3D TRUE + SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg= 2.inf + } +!endif + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCrypt= oRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256= .inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } + SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf + } + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf + } +!endif #MEASURED_BOOT_ENABLE + UefiCpuPkg/CpuDxe/CpuDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayload= Pkg.fdf index d1f76b1e56..6629ec8993 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -60,6 +60,7 @@ FILE FV_IMAGE =3D 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 { SECTION FV_IMAGE =3D DXEFV } =20 + !if $(NETWORK_DRIVER_ENABLE) =3D=3D TRUE ##########################################################################= ###### [FV.NETWORKFV] @@ -201,10 +202,6 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRea= lTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif =20 -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf -!endif - INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) =3D=3D "GENERIC" @@ -307,6 +304,7 @@ INF MdeModulePkg/Universal/Acpi/AcpiPlatformDxe/AcpiPl= atformDxe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphics= ResourceTableDxe.inf !endif =20 + !if $(UNIVERSAL_PAYLOAD) =3D=3D FALSE INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf # @@ -328,6 +326,29 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamic= Command.inf INF ShellPkg/Application/Shell/Shell.inf !endif =20 +!if $(UNIVERSAL_PAYLOAD) =3D=3D FALSE + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf +!endif + +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf +!endif + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF RuleOverride =3D DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.= inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf +!endif + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +!endif #MEASURED_BOOT_ENABLE + +!endif + [FV.SECFV] FvNameGuid =3D 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C BlockSize =3D $(FD_BLOCK_SIZE) @@ -353,6 +374,20 @@ READ_LOCK_STATUS =3D TRUE INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf !endif =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf +!endif + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF RuleOverride =3D DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.= inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf +!endif + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +!endif #MEASURED_BOOT_ENABLE =20 ##########################################################################= ###### # @@ -472,3 +507,13 @@ INF SecurityPkg/VariableAuthenticated/SecureBootConfig= Dxe/SecureBootConfigDxe.in UI STRING=3D"Enter Setup" VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R) } + +[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE] + FILE DRIVER =3D $(NAMED_GUID) { + DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex + PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi + RAW ACPI Optional |.acpi + RAW ASL Optional |.aml + UI STRING=3D"$(MODULE_NAME)" Optional + VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R) + } --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104994): https://edk2.groups.io/g/devel/message/104994 Mute This Topic: https://groups.io/mt/98982075/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 11:36:46 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+104996+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104996+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1684367813; cv=none; d=zohomail.com; s=zohoarc; b=i85LYtRC5S8+S6FVfVbTCOjqz1awJLMAiMFKGyf2wD8mhyVdtyP5AvXrUGGdaHDdZIh40vzJViDNOzbTopC34bXWMfc778+sCSmeZawmm3FxyEre9VwJQ/x8+zWL9v313BlF2R+EylTVcWboZcOZ9GX2cxpv/A4yAwRhS+UPZi0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1684367813; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=MLgCrvwine70+TuMOlH6qvaPR61WTF0BEM3SJvK9FzU=; b=eUPOUmFCeOkUUL/ISyaiZDqQAbw0QlE+zzngu34FaWZ5xDKO5Kwg7HlDrVEfqHmiEw8vairBremNc5akIe6Qwg6itkfaPHXCkQ8P1ySKDlzQ0/Jxq7NKP+WTDb5vVz7Jcqd/JvzufHVZkafRC0FS6/tB0tvR+Wq+9Zn/qGxZe9E= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104996+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1684367813285888.1866871741786; Wed, 17 May 2023 16:56:53 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id DR3vYY1788612xUcH0z87KHm; Wed, 17 May 2023 16:56:53 -0700 X-Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.3155.1684367809597397300 for ; Wed, 17 May 2023 16:56:52 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332276051" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332276051" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:45 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208972" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208972" X-Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:44 -0700 From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [edk2-devel] [PATCH v2 6/6] UefiPayloadPkg: Add secure boot definitions to ci build Date: Wed, 17 May 2023 16:55:34 -0700 Message-Id: <616b0485c41d2199d991a36a9cf92b25672a1bb1.1684367408.git.subash.lakkimsetti@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,subash.lakkimsetti@intel.com X-Gm-Message-State: pUex3rVpO56TaTnaH0H3RC2kx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1684367813; bh=at6Rr5e0uD1RoBfEa+FGhFZKPxLJgqK2vQ1tBeSPrNg=; h=Cc:Date:From:Reply-To:Subject:To; b=oZm8DQaYHBP7MATfcuq02WTgZUNkOrALi6rFV5AgGJWa5wn0BskFsCa1Dphj8BuMcw9 bW+EiKB55KkwIi7d8KfqnJfMqMjKBX0dAS3DWPzO9/cBDdTpifIeHvJbQbd394fG2a3VH x1+ZZsfrRLU0KDGaDmtqNVGdXyGcNvV+5pw= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1684367815378100019 Content-Type: text/plain; charset="utf-8" From: Subash Lakkimsetti Define the build flags for secure boot and measure boot for ci builds Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/UefiPayloadPkg.ci.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml b/UefiPayloadPkg/UefiPay= loadPkg.ci.yaml index 278f271c36..e594ea6c20 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml +++ b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml @@ -92,5 +92,7 @@ "BLD_*_EMU_VARIABLE_ENABLE": "FALSE", "BLD_*_DISABLE_RESET_SYSTEM": "TRUE", "BLD_*_SERIAL_DRIVER_ENABLE": "FALSE", + "BLD_*_SECURE_BOOT_ENABLE": "TRUE", + "BLD_*_MEASURED_BOOT_ENABLE": "TRUE", } } --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104996): https://edk2.groups.io/g/devel/message/104996 Mute This Topic: https://groups.io/mt/98982077/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-